Hello guys, welcome to my writeup. I will get to the subject without further ado
First of all, we need to know;
Load-Time: Before a software starts running, it has a load time. It installs its requirements until the program is fully functional (Libraries, Memory Regions)
Function Hooking: Replacing or editing a function given in the software with a fake function.
See the Functions used by a software;
You can use the ftrace binarys used by the majority in linux to see the functions used in the software.
Let’s Start
Now I assume that we open linux and compile the following code:
#include <stdio.h> int main(){ puts("Hello world !"); }
Compiling : gcc hello.c -o hello
What we’re going to do now is to replace this set function with the fake sets we provided at load time. Thus, the function we wrote will work, not the function written in the program.
Writing the Fake library to hook the function:
For the puts function, the creation of the fake library is as follows:
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
int puts(const char *message) {
int (*new_puts)(const char *message);
new_puts = dlsym(RTLD_NEXT, "puts");
return new_puts("Hijacked!");
}
The library is simply puts (); Creates a fake of the function dlsym (); allows it to replace the original thanks to its function.
The dlsym(); function takes two arguments. The first of these, the RTLD_NEXT enum, tells the dynamic loader API part to return to the next instance linked with the 2nd argument. The last argument is asking for the name of the sample to be returned to, and this is the puts function, which we will substitute forged.
return new_puts(“Hijacked!”);
Here, puts (); The function that will replace the function is specified.
Compiling the library and transferring it to LD_PRELOAD
Compiling The Library :
gcc evil_library.c -o evil_library.so -fPIC -shared -ldl -D_GNU_SOURCE
The LD_PRELOAD environment variable can execute the library we provided at the moment the running software starts, so that we can manipulate the software.
In summary, when we assign the .Library path to the LD_PRELOAD environment variable, the library is enclosed in the running file.
Export our library to LD_PRELOAD environment variable with export command
export LD_PRELOAD="/home/mehmet/evil_library.so"
Now, when our program is run, instead of “Hello world”, “Hijacked!” He will give our message.